List of new Group Policy in Windows 10 version 1903 & Windows 1909

Along with the new features and settings, Microsoft releases new Group Policy settings that help control the features centrally through the domain server. I have compiled a list of the new settings Microsoft has introduced in Windows 10 version 1903 and Windows 10 version 1909. I hope this will be helpful to whoever is looking for it.

List of new Group Policy settings in Windows 10 version 1903 and Windows 10 version 1909:

| Scope | Release Version | Policy Path | Help Text |
|---|---|---|---|
| Machine | 1903 | Windows Components\App Privacy | This policy setting specifies whether Windows apps can be activated by voice. If you choose the “User is in control” option, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. If you choose the “Force Allow” option, Windows apps are allowed to be activated with a voice keyword and employees in your organization cannot change it. If you choose the “Force Deny” option, Windows apps are not allowed to be activated with a voice keyword and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. |
| Machine | 1903 | Windows Components\App Privacy | This policy setting specifies whether Windows apps can be activated by voice while the system is locked. If you choose the “User is in control” option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. If you choose the “Force Allow” option, users can interact with applications using speech while the system is locked and employees in your organization cannot change it. If you choose the “Force Deny” option, users cannot interact with applications using speech while the system is locked and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. It takes precedence over the Allow Cortana above lock policy. This policy is applicable only when the Allow voice activation policy is configured to allow applications to be activated with voice. |
| Machine | 1903 | Windows Components\Credential User Interface | If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. |
| Machine | 1903 | Windows Components\Data Collection and Preview Builds | AllowCommercialDataPipeline opts the device into the Windows enterprise data pipeline. If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline. If you disable or don’t configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline. Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10. |
| Machine | 1903 | Windows Components\Delivery Optimization | Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds. Note: if you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). |
| Machine | 1903 | Windows Components\Delivery Optimization | Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds. Note: if you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). |
| Machine | 1903 | System\Logon | This policy setting disables the acrylic blur effect on the logon background image. If you enable this policy, the logon background image shows without blur. If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. |
| Machine | 1903 | System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool | This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it’s applied to their domains/IT environments. Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: 0 = Turn this feature off. 1 = Turn this feature off but still apply critical troubleshooting. 2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. 3 = Run recommended troubleshooting automatically and notify the user after it’s been successfully run. 4 = Run recommended troubleshooting automatically without notifying the user. 5 = Allow the user to choose their own recommended troubleshooting settings. After setting this new setting, to trigger recommended troubleshooting for devices in your domain follow these instructions: 1. Create a bat script with the following contents (two lines): "rem The following batch script triggers Recommended Troubleshooting" and "C:\Windows\System32\mitigationscanner.exe". 2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. 3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). 4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. 5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. 6. Configure the task to deploy to your domain. |
| Machine | 1903 | System\Service Control Manager Settings\Security Settings | This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft as well as a policy disallowing dynamically-generated code. If you disable or do not configure this policy setting, these stricter security settings will not be applied. |
| Machine | 1903 | System\Storage Sense | Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the “Configure Storage Sense cadence” group policy. Enabled: Storage Sense is turned on for the machine with the default cadence as during low free disk space. Users cannot disable Storage Sense but they can adjust the cadence (unless you also configure the “Configure Storage Sense cadence” group policy). Disabled: Storage Sense is turned off for the machine. Users cannot enable Storage Sense. Not Configured: By default, Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. |
| Machine | 1903 | System\Storage Sense | Storage Sense can automatically clean some of the user's files to free up disk space. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly and during low free disk space. The default is 0 (during low free disk space). Disabled or Not Configured: By default, the Storage Sense cadence is set to during low free disk space. Users can configure this setting in Storage settings. |
| Machine | 1903 | System\Storage Sense | When Storage Sense runs, it can delete the user's temporary files that are not in use. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: Storage Sense will delete the user's temporary files that are not in use. Users cannot disable this setting in Storage settings. Disabled: Storage Sense will not delete the user's temporary files. Users cannot enable this setting in Storage settings. Not Configured: By default, Storage Sense will delete the user's temporary files. Users can configure this setting in Storage settings. |
| Machine | 1903 | System\Storage Sense | When Storage Sense runs, it can delete files in the user's Recycle Bin if they have been there for over a certain amount of days. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 – 365. If you set this value to zero, Storage Sense will not delete files in the user's Recycle Bin. The default is 30 days. Disabled or Not Configured: By default, Storage Sense will delete files in the user's Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings. |
| Machine | 1903 | System\Storage Sense | When Storage Sense runs, it can delete files in the user's Downloads folder if they have been there for over a certain amount of days. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it. Supported values are: 0 – 365. If you set this value to zero, Storage Sense will not delete files in the user's Downloads folder. The default is 0, or never deleting files in the Downloads folder. Disabled or Not Configured: By default, Storage Sense will not delete files in the user's Downloads folder. Users can configure this setting in Storage settings. |
| Machine | 1903 | System\Storage Sense | When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it. Supported values are: 0 – 365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, or never dehydrating cloud-backed content. Disabled or Not Configured: By default, Storage Sense will not dehydrate any cloud-backed content. Users can configure this setting in Storage settings. |
| Machine | 1903 | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment | This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections. If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. |
| Machine | 1903 | Windows Components\Windows Defender Antivirus\Security Intelligence Updates | This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do not configure this setting, security intelligence will be referred from the default local source. |
| Machine | 1903 | Windows Components\Windows Update | This policy lets you specify the number of days that a user has before quality and feature updates are installed on their devices automatically, and a grace period after which required restarts occur automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. Deadlines for feature updates and quality updates can be up to 30 days. The auto-restart grace period can be from 0 to 7 days. You can also disable auto-restarts until the end of the auto-restart grace period. If you disable or do not configure this policy, devices will get updates and will restart according to the default schedule. This policy will override the following policies: 1. Specify deadline before auto restart for update installation 2. Specify Engaged restart transition and notification schedule for updates 3. Always automatically restart at the scheduled time 4. No auto-restart with logged on users for scheduled automatic updates installation |
| Machine | 1903 | Windows Components\Windows Logon Options | This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured. If you enable this policy setting, you can choose one of the following two options: 1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: – The device doesn’t have TPM 2.0 and PCR7, or – The device doesn’t use a TPM-only protector. 2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. If you disable or don’t configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior. |
| Machine | 1909 | Device Installation\Device Installation Restrictions | This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the “Prevent installation of devices not described by other policy settings” policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. |
| Machine | 1909 | System\Device Installation\Device Installation Restrictions | This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. |
| Machine | 1909 | Windows Components\Internet Explorer | If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. |
| Machine | 1909 | Windows Components\Microsoft Edge | With this policy, you can print PDF files based on per page orientation in Microsoft Edge. If enabled, mixed mode printing is allowed. If disabled, mixed mode printing is not allowed. |
| User | 1909 | Windows Components\Microsoft Edge | With this policy, you can print PDF files based on per page orientation in Microsoft Edge. If enabled, mixed mode printing is allowed. If disabled, mixed mode printing is not allowed. |

4 Likes

Hi @tjnihal,

Thank you for the combined list of new group policies in Windows 10 version 1903 and Windows 10 version 1909. Can you please also post the new group policy settings introduced in Windows 10 version 2004?

Thanks

3 Likes

New Windows 10 2004 policy settings

Here you go @Palmer.

A full list of all added policy settings in Windows 10 and Windows Server, version 2004, is embedded in the table below.

| Policy Setting | Policy Path |
|---|---|
| Minimum password length audit | Security Settings\Account Policies\Password Policy |
| Relax minimum password length limits | Security Settings\Account Policies\Password Policy |
| Domain controller: LDAP server channel binding token requirements | Security Settings\Local Policies\Security Options |
| Turn on security key sign-in | System\Logon |
| Prevent non-admin users from installing packaged Windows apps | Windows Components\App Package Deployment |
| Let Windows apps access user movements while running in the background | Windows Components\App Privacy |
| Cache Server Hostname Source | Windows Components\Delivery Optimization |
| Maximum Background Download Bandwidth (in KB/s) | Windows Components\Delivery Optimization |
| Maximum Foreground Download Bandwidth (in KB/s) | Windows Components\Delivery Optimization |
| Configure which channel of Microsoft Edge to use for opening redirected sites | Windows Components\Internet Explorer |
| Enable file hash computation feature | Windows Components\Microsoft Defender Antivirus\MpEngine |
| Select the target Feature Update version | Windows Components\Windows Update\Windows Update for Business |
| Allow Graphing Calculator | Windows Components\Calculator |
| Configure Japanese IME version | Windows Components\IME |
| Configure Simplified Chinese IME version | Windows Components\IME |
| Configure Traditional Chinese IME version | Windows Components\IME |
| Configure which channel of Microsoft Edge to use for opening redirected sites | Windows Components\Internet Explorer |